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Abstract 



A univariate polynomial / over a field is decomposable \f f = g o 
h = g{h) for nonlinear polynomials g and h. In order to count the 
decomposables, one has to know the number of equal-degree collisions, 
that is f = g o h = g* o h* with {g,h) ^ {g*,h*) and deg^ = degg*. 
Such collisions only occur in the wild case, where the field characteristic 

■ p divides deg/. Reasonable bounds on the number of decomposables 
CD . over a finite field are known, but they are less sharp in the wild case, 

in particular for degree p^. 
ly-^ ■ We provide a classification of all polynomials of degree with a 

. collision. It yields the exact number of decomposable polynomials of 

\ degree over a finite field of characteristic p. We also present an 

■ algorithm that determines whether a given polynomial of degree p^ 
has a collision or not. 

>■ 
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1 Introduction 



The composition of two polynomials g.h G F[x\ over a field F is denoted as 
f = g oh = g{h), and then {g, h) is a decomposition of /, and / is decompos- 
able if 5^ and /i have degree at least 2. In the 1920s, Ritt, Fatou, and Julia 
studied structural properties of these decompositions over C, using analytic 
methods. Particularly important are two theorems by Ritt on the uniqueness, 
in a suitable sense, of decompositions, the first one for (many) indecompos- 
able components and the second one for two components, as above. 

The theory was algebraicized by Dorey & Whaples (1974), Schinzel (1982, 
2000), Zannier (1993), and others. Its use in a cryptographic context was sug- 
gested by Cade (1985). In computer algebra, the method of Barton & Zippel 
(1985) requires exponential time but works in all situations. A breakthrough 
result of Kozen & Landau (1989) was their polynomial-time algorithm to 
compute decompositions. A fundamental dichotomy is between the tame 
case, where the characteristic p does not divide degg^ and this algorithm 
works, see von zur Gathen (1990a), and the wild case, where p divides degg^, 
see von zur Gathen (1990b). In the wild case, considerably less is known, 
both mathematically and computationally. Zippel (1991) suggests that the 
block decompositions of Landau & Miller (1985) for determining subfields 
of algebraic number fields can be applied to decomposing rational functions 
even in the wild case. This was shown to be valid by Blankertz (2011). 

The task of counting compositions over a finite field of characteristic p 
was first considered in Giesbrecht (1988). Von zur Gathen (2009) presents 
general approximations to the number of decomposable polynomials. These 
come with satisfactory (rapidly decreasing) relative error bounds except when 
p divides n — degf exactly twice. The main result (Theorem 6.7) of the 
present work determines exactly the number of decomposable polynomials in 
one of these difficult cases, namely when n = p^ and hence deg g = deg h = p. 

This is shown in three steps. First, we exhibit some classes of collisions 
in Section 3. Their properties are easy to check. The second step shows that 
these are all possibihties (Theorem 5.1). Section 4 introduces the necessary 
tools from the ramification theory of function fields, and Section 5 proves 
this classification. The third step is to count the resulting possibilities, in 
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Section 6. 

Our contribution is fourfold: 



• We provide explicit constructions for collisions at degree r^, where r is 
a power of the characteristic p > 0. 

• We provide a classification of all collisions at degree p^, linking every 
collision to a unique explicit construction. 

• We use these two results to obtain an exact formula for the number of 
decomposable polynomials at degree p^. 

• The classification yields an efficient algorithm to test whether a given 
polynomial has a collision or not. 

2 Definitions and examples 

We consider a field F of positive characteristic p. An (equal-degree) k- 
collision is a set of k distinct pairs {g, h) of monic original nonlinear polyno- 
mials in F[x\, all with the same composition f = goh and degg the same for 
all {g, h). A /c-collision is called maximal if it is not contained in a (A; + 1)- 
collision. It is called proper ii k > 1. We also say that / has a (maximal, 
proper) fc-coUision. 

Composition of g and h with linear polynomials introduces inessential 
ambiguities in decompositions. Thus we may assume /, g, and h to be 
monic and original, that is with leading coefficient 1 and constant coefficient 
0, and define 



We sometimes leave out F from the notation when it is clear from the context. 
The following is a simple example for a collision. 

Example 2.2. Let r = p^. For h e Pr{F), we have 



where is the e-th power of the Frobenius endomorphism on F , extended to 
polynomials coefficientwise. Ii h ^ x^, then {{x^,h), {(pr{h),x^)} is a proper 
collision and we call it a Frobenius collision. 



Pn{F) 
Dn{F) 
Cn,k{F) 



{/ e F[x\ : f is monic and original of degree n}, 

{/ e Pn{F) : / is decomposable}, 

{/ e Pn{F) : f has a maximal /c-coUision}. 



(2.1) 



x^oh — (fir{h) o x'^, 
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In the case r — p we have the following results. 

Lemma 2.3. (i) Assume that f e Pp'^{F) has a proper collision. Then it 
is a Frobenius collision if and only if f = 0. 

(a) Frobenius collisions of degree p^ are maximal 2-collisions. 

Proof. Prom the definition follows that the derivative of a Frobenius collision 
is 0. 

Let / G Pp2[F) with /' = 0. Then / G F[xP] and thus f = gox^ ioi some 
monic original polynomial g. Assume f = g* o h* is another decomposition 
of /. Since / and h* determine g* uniquely, we have h* ^ x^. Thus from 
/' = g*'{h*)-h*' — follows g*' — and hence g* — x^. Furthermore 
g^ipp{h*). □ 

In the finite case F — ¥q, (fpis an automorphism and thus for / G Pp2(Fg), 
f' — O imphes that either f — x^ or / is a Frobenius collision. 

Another example of decomposable polynomials is provided by the class 
of additive polynomials. For a power g of p, a polynomial A of degree g** is 
q-additive if it is of the form A = J2o<i<K <^i^^' with all G F. We call a 
polynomial additive if it is p-additive. Additive polynomials act additively on 
F, that is A{a + b) — A{a) +A{b) for all a, b e F. Moreover the composition 
of two additive polynomials is additive. 

For a divisor d oi q — 1, the {q, d) -subadditive polynomial associated with 
the g-additive polynomial A is a polynomial S of degree q^ of the form S — 
^(So<j<K ^»^^^'~^^^'')'^- relation between A and 5" is given hy x''' o A — 
S o x'^. Subadditive polynomials are also called sub-linearized polynomials 
and appear in connection with exceptional polynomials in Cohen (1990). 

The decomposition of additive and subadditive polynomial is studied in 
Giesbrecht (1988), Henderson & Matthews (1999), Coulter et al. (2004), and 
von zur Gathen et al. (2010). Henderson & Matthews (1999) prove that each 
decomposition of a g-additive polynomial into g-additive polynomials yields a 
decomposition of the corresponding (g, (i)-subadditive polynomial into (g, d)- 
subadditive polynomials. In the special case q = p and degree p'^, this also 
follows from Fact 3.1 and Theorem 5.1. The following is a simple example. 

Example 2.4. Let p be an odd prime, r a power of p, and a G F^. Then 

{x^ + ax) o [x^ — ax) — {x'^ — ax) o [x'^ + ax) is a 2-collision. 

For / G Pn{F) and w E F, the original shift of / by w is 

= {X- f{w)) ofo{x + w)e Pn{F). 
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We also simply speak of a shift. Original shifting defines a group action of 
the additive group of F on Pn{F). Indeed, we have for w,w' e F 

(jW^K) = _ /^(w')) o o {x + w') 

= {x — {f{w' + w) — f{w))) o [x — f{w)) o f o (x + w) o [x + w') 

= (x - f{w' + w)) O / o (x + + w) = /("''+"'). 

Furthermore, for the derivative we have (/("'))' = /' o (,T + w). Shifting 
respects decompositions in the sense that for each decomposition (51, h) of / 
we have a decomposition (g^^^'^^\ h^'^^) of f'^'^\ and vice versa. We denote 
(^g{h{w))^f^{u,)^ by {g,hY'"\ 

The second degree dcg2(/) of a monic polynomial / is the degree of / — 
2;dcg(/)^ with deg2(a;") = —00. We use the following fact. It was stated in 
Proposition 6.5 (i) of von zur Gathen et al. (2010) for F = F^. 

Fact 2.5 (von zur Gathen et al. (2010), Proposition 6.5 (i)). Let C he a 

proper non-Frohenius collision of degree p^. Then there is an integer d with 
1 < d < p such that deg2(5') = dcg2(/i) = d for all {g, h) G C . 

Proof. For (gf, h) e C, we write £ — deg2 g, m — deg2 h, 

g^xP + gtx^ H h gix, 

h^xP + hmx"" H h hix, 

f^goh^xP" + fp..,xP"-' + • • • + /ix, 

with all fi,gi, hi E F, 1 < i,m < p, and gehm 7^ 0. The highest terms in 
and g o h are given by 

= {xP + hmx"" + Oix""-^))^ 
= x^P + IhrnX^^-^^P^"^ + 0(a;^^-^>+"^-^), 
goh^xP^ + hP^x'^P + {0{x'^-^))P + gtx^P + £c/^/i^x(^-^>+"^ 

+ 0(x(^-^>+"^-^) + 0(x(^-^>). (2.6) 

Thus the highest term deg/' = (^ — l)p + m — 1. Since 1 < i,m < p, {i, m) 
is determined by i and hence by /, and identical for all [g, h) e C. 

Algorithm 4.10 of von zur Gathen (2010a) computes the components g 
and h from /, provided that 7^ 0. We do not assume this, but can 
apply the same method. Once g^ and h^ are determined, the remaining 
coefficients first of /i, then of gf, are computed by solving a linear equation 
of the form uhi = v, where u and v are known at that point, and u 0. 
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Quite generally, g is determined by / and h. Now take some {g*, h*) e C. If 
{.9£i Kn) = idi, h'^), then {g, h) = {g*, h*) by the uniqueness of the procedure 
just sketched. Inspection of the coefficient of (2.6) shows that 

ge = gl if and only if hm = h*^. Now assume that £ ^ m. Then dcg2(5' o h) 
is one of the two distinct integers mp or £p. Either /i^ (and hence hm) 
is determined by /, namely ii m > £, and otherwise gi is. In either case, 
we conclude from the above that {g,h) — {g*,h*). This contradiction to 
{g, h) ^ {g*, h*) shows that £ ^ m. □ 

3 Explicit constructions at degree 

This section presents explicit collisions at degree r^, where r is a power of the 
characteristic p. We recall a known construction in Fact 3.1 and present a new 
one in Theorem 3.14. In Section 5, we show that together with the Probenius 
collisions, these examples and their shifts comprise all proper collisions at 
degree p^. 

Fact 3.1 (von zur Gathen et al. (2010), Theorem 6.1). Let r be a power of 
p, u,s e F"", e e {0,1}, t e T = {t e F: - eut + u^O}, m a positive 
divisor of r — 1, i — {r — l)/m, and 

f = S{u, s, e, m) = x(x^(''+^) - + iis''+^)"*, (3.2) 

g = x{x^ - us't-')"^, 
h - x{x^ - st)"^. 

Then f — g o h, and f has a ^T-collision. 

In von zur Gathen et al. (2010), this result is stated for F — F^. The 

argument consists of an easy verification of the identity and the observation 
that / does not depend on t, while there are #T different values for the 
(r — £)th coefficient of h 

hr-e — —mst 7^ 0. 

This proof is valid for arbitrary fields of characteristic p. The value S{u, s, e, m) 
is an (r, m)-subadditive polynomial, and is additive for m = 1. See Giesbrecht 
(1988) for the decomposition of additive polynomials, Henderson & Matthews 
(1999) for the connection between the decomposition of additive and subaddi- 
tive polynomials, and Coulter et al. (2004) for the number of indecomposable 
subadditive polynomials and an algorithm to decompose subadditive polyno- 
mials. 
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Fact 3.3 (von zur Gathen et al. (2010), Proposition 6.2). Letr be a power of 

p. Let u, s, e, t, m, andu*, s* , e* , t* , m* satisfy the conditions of Fact 3.1, 
w,w* e F, f = S{u,s,s,m)^'"\ and f* = S{u*,s*,s*,m*)^'^*\ Then the 
following hold. 

(i) If f — f*, then e — e* and m — m* . 

(a) If e — 1 and m > 1, then f = f* if and only if u — u* , s — s* , and 
w — w*. 

(Hi) If e = 1 and m = 1, then f = S{u, s, 1, l)*-"-*, and f = f* if and only if 
u = u* and s = s*. 

(iv) If e = and m > 1, then f = S{0 — 1, st, 0, m)*^""), and f = f* if and 
only if w = w* and s''^^ = {s*Y~^^ . 

(v) If s = and m~l, then f — 5'(— 0, 1)*-°^ and f — f* if and only 

Proof. We have 

f = Siu,s,6,m)^^^ 

fr^-er = -mens'', (3.4) 
fr^-Er-e = mus''^^ ^ 0. (3.5) 



Therefore 



A r jr^-ir if £ = 1, 

r^ — £r — £ if £ = 0. 



Furthermore, p \ r — 1 — £m, so that p \ £. We have e = 1 if and only if r 
divides dega / = deg2 /*. For each value of £, deg2 / determines m uniquely. 
This proves (i). 

We list some observations for m = 1, m > 1, e = 0, and e = 1. An 
appropriate combination of them proves (ii) through (v). 
For m = 1, / is additive and therefore 

f = S{u,s,e,l)^^^=S{u,s,e,lp (3.7) 

for all w e F„. 
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For m > 1 the coefficient of x^^ ir e i ^^^^ m)^"') is 

fr'^-er-e-i = —iwfr2^er-e- (3.8) 

Since —ifr2^er-e 0; we have S{u,s,e,mY'^^ — S{u,s,e,mY'^*'> if and only 
if w = w*. 

For £ = 1, we find from (3.4) and (3.5) 

S — —fr'^-ir-e/ fr'^-er, 
U = fr2-ir/{-ms''), 

depending only on /. 

For £ = 0, we have — —u and 

S(u,s,0,m)^'^^ = (x(x^('-+^) - {sty+^ry""^ = 5(-l,st,0,m)("'). (3.10) 

Given S'(-l, s, 0, m)^"'^ = 5'(-l, s*, 0, m*Y'^*\ we have m ^ m* and w = 
by the above. We shift originally by —w, divide by x, take m-th roots, and 
compare the constant terms to obtain = (s*)^+^. □ 

We now present an algorithm to identify the examples of Fact 3.1 and 
their shifts. The algorithm involves divisions which we execute conditionally 
"if defined". Namely, for integers the quotient is returned if it is an integer, 
and for field elements if the denominator is nonzero. Otherwise, "failure" is 
returned. We assume a routine for (r + l)st roots. Given a field element it 
produces an (r + l)st root, if it exists, and "failure" otherwise. Furthermore, 
we assume that we can compute the product of two polynomials of degree at 
most n with M(n) field operations. 

Theorem 3.12. Algorithm 3.11 works correctly as specified. If F — ¥q, it 
takes 0{n\ogn) + 0(M(r) logr log(5r)) = 0{n\og{nq)) field operations on 
input a polynomial of degree n — r^. 

Proof. For the first claim, it is sufficient to show that for uq, Sq, Eq, thq as in 
Fact 3.1 and Wq E F the algorithm does not fail on input / = S{uo, Sq, Eq, moY'^°\ 

By (3.6), we have r | deg2/ if and only if £ = 1. Therefore £ = £o and 
since (3.6) determines uiq and io uniquely, we find m = mo and i = io. If 
£ = 1, steps 5 and 6 recover s = sq and u — uq from the coefficients of /, 
by (3.9). If £ = 0, (3.10) shows S{uo, So,0,moY'"°^ = S{-1, s,0,moY'^°^ for 
some s. We obtain one such s in step 10 by (3.5) with u = —1. Any other 
(r + l)st root of that equation leads to the same value of S by Fact 3.3 (v). 

Finally, (3.7) shows that w = is a valid choice if m = 1 and otherwise 
w is uniquely determined by (3.8) yielding w — wq. An / of the assumed 



(3.9) 
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Al 


^orithm 3.11: Identify simply original polynomials 




Input: polynomial / = YlifiX^ G Pr^{F) with all fi^F and r a 






power of char F 




Output: integer A;, parameters u, s, e, m as in Fact 3.1, and w & F 






such that / = S{u, s, £, m)*^"'^ is a A;-collision, if such values 






exist, or "failure" 




if deg2 / = — oo then 


2 




return "failure" 


3 


else if r 1 deg2 / then 


4 




£ ■<— (r^ — deg2 f)/r and m ^ (r — l)/£ if defined 


5 




s < fr'^-ir-i/ fr^~er if defined 


6 




u < fr2-ir/'>TT'S^ if defined 


7 




e ^ 1 


8 


else 


9 




£ ^ (r^ — deg2 f)/{r + 1) and m (r — if defined 


10 




find s with s^~^^ — —fr^-ir-e/i^ if defined 


11 




u i 1 


12 




£ ^ 


13 


end 


14 


if m = 1 then 


15 







16 


else 


17 




^ fr^-ir-e-i/^fr^-er-i if defined 


18 


end 


19 


if / = 5(?i,s,£,m)("') then 


20 




A: ^ dcgi(gcd(i« - - eut + u)) 


21 




return k, u, s, e, m, w 


22 


end 


23 


return "failure" 
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form passes the final test in step 19, wfiile an / of a different form will fail 
at the latest here. The size of the set T — {t e F: T"*"^ — eut + u — 0} is the 
number of decompositions of / and computed in step 20. 

In the following cost estimate for F = Fg, we ignore the (cheap) operations 
on integers. The root extraction in step 10 takes 0(M(r) logr log(gr)) field 
operations; see (von zur Gathen & Gerhard, 2003, Corollary 14.16). The 
calculation of the right-hand side in step 19 takes 0{nlogn) field operations, 
and the test another n operations. The cost of all other steps is dominated 
by this estimate. □ 

Let Cjf^ denote the set of maximal /c-coUisions that are of the form (3.2) 
or shifts thereof. Over a finite field, their exact number can be computed 
from Corollary 6.3 in von zur Gathen et al. (2010). 

Fact 3.13 (von zur Gathen et al. (2010)). Let r he a power of p, q a power 
of r, F = ¥q, and r the number of positive divisors ofr — 1. For k>2, we 
have 



ifk = 2, 



2(r-l) 
(rg-g + l)(g-l)(g-r) 
r(r^ — 1) 

otherwise. 



if k — r + 1, 



Proof. For £ = 1, we have to consider it e such that — uy + u e 
¥g[y] has exactly k roots. Let a, 6 £ F^ and u — a^'^^b"'^. The invertible 
transformation x y = —ab~^x gives a bijection 

{ye¥^: -uy + u^O} ^ {x e¥^: + ax + b^O}. 

Every value of u corresponds to exactly q — 1 pairs (a, b), namely an arbitrary 
a G F^ and b uniquely determined as b^ = u~^a'^~^^. Theorem 5.1 and 

(2) 

Proposition 5.4 of von zur Gathen et al. (2010) determine numbers c^ lf. such 

(2) 

that there arc exactly Cq lk/{q — 1) values for u. Therefore the number of 

(2) (2) 

/c-coUisions is Cg^i^ for the form described in (iii), and Cq lj^q{T — 1) for the 
form described in (ii). 

For £ = 0, (3.2) is a /c-coUision if only if = 1 has exactly k solutions, 
according to Fact 3.3 (iv) and (v). This equation has exactly 7 = gcd(r + 
1, g — 1) solutions in F^ . Furthermore there are (g — l)/7 values for s G F^ 
which yield pairwise different s^"*"^. The number of /c-collisions of the form 
described in (v) is therefore 5^=k • (g — l)/7, and of the form described in (iv) 
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5j=k • Qi^ ~ ~ l)/7) taking into account the r — 1 possible divisors i and 
q choices for w. This yields 

#Cf ) = (g • r - g + 1) • (4^,, + <^.=.^) ■ 

(2) 

We now use the explicit expressions for c^^^ determined in the work cited 
above. With q = r"', we have 



c. 



i'i-^)i'ir-2<i-2r+3) jf ^ and d are odd, 



,(2) ^ ) 2(r-l) 
2(r-l) 

— — 11 a IS even, 



(2) _ ) r(r2-l) 

if (i is odd 



^q,r,r+l ^ (g-r)(g-l) 



r(r2-l) 

Furthermore, for 7 = gcd(r +l,q — l), we have from Lemma 3.29 in von zur 
Gathen (2008) 

{1 if (i is odd and r is even, 

2 if 0? is odd and r is odd, 
r + 1 if (i is even. 

The claimed formulas follow from 

{q-l)Hr-2) 



.(2) , X g~ ^ J 2{r-l) - ^' 

•^■'■■'^ 7 l^^^ifei forfc = r + l. □ 



r(r2-l) 

The second construction goes as follows. 

Theorem 3.14. Let r be a power of p — charF, b e , a e F \ {0,6''}, 
a* — — a, m an integer with 1 < m < r — 1 and p\m, m* — r — m, and 

f = M{a, b, m) = x""""' {x - b)"^""* {x"' + a*b-'{{x - 6)™ - x"^))"" 

^"^"•(^ (3.15) 

h = x' + a*b-''{x"'*{x-b)"' -x''), 

g* ^x'^^x-a*)"', 

h* ^x'- + ab-'^ix^'ix - b)"^* - x^. 

Then f = goh = g*oh*& Pr^i^F) has a 2-collision. 
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Proof. Let 

H = h/x"'* = x"^ + a*h-'\{x - 6)" - X™), 
H* = hrjx^ = x"** + a6-''((x - 6)"** - x'"*) 

Then /i - a = (x - 6)"^//* and /i* - a* = (x - 6)"^*//. It follows that 

goh^g*oh* ^ x'"™* (x - b)"'-^'H"'(^H*)"'' = f. (3.17) 

If = g*, then m = m*, 2m = r and thus 2 = p | m, a contradiction. 
Thus / is a 2-collision. □ 

Avanzi & Zannier (2003) deal with coUisions of compositions of rational 
functions over C. Mike Zieve (2011) points out that case (4) of their Proposi- 
tion 5.6 can be transformed into (3.15). Zieve also mentions that this example 
already occurs in unpublished work of his, joint with Bob Beals. 

For r < 4, there is no value of m satisfying the assumptions. The 
construction works for arbitrary a & F and 1 < m < r — 1. But when 
a e {0,b^}, we get a Frobenius collision, see Example 2.2. In case p | m we 
get / = x^" o M(a, bf" ,mo) o x^" , with m — p^rrio and p f mo. When m = 1 
or r — 1, we get a shift of (3.2). 

The polynomials from (3.2) are "simply original" in the sense that they 
have a simple root at 0, and those from (3.15) are "multiply original" in the 
same sense. This motivates the designation S and M. In Theorem 5.1 we 
use F to denote Frobenius collisions. 

Next, we describe the (non)uniqueness of this construction. We take all 
polynomial gcds to be monic. 

Proposition 3.18. Let b e F^ , a G F \ {0, fe*"}, 1 < m < r — 1 with p \ m, 
and f = M{a, b, m) as in (3.15). Then the following hold. 

(i) In the notation from the proof of Theorem 3.14 we have r > 5, m ^ m* , 
H and H* are squarefree and coprime, and both do not vanish at or 
b. 

(a) The stabilizer of f under original shifting equals {0}. In particular, for 
F — ¥g the orbit of f under shifting has size q. 

(Hi) Forai, bi, mi satisfying the conditions of Theorem 3.14, we have M{a, b, m) = 
M(ai,bi,mi) if and only if {ai,bi,mi) G {{a,b,m), {a* ,b,m*)}. If we 
impose the additional condition m < r/2, then {a,b,m) is uniquely 
determined by M{a, b, m). 



(3.16) 
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(iv) There are exactly two polynomials of the form (3.15) in the orbit under 
original shifting of f, namely f and f^^^ — M{—a*, —b,m). 

Proof. (i) In the previous proof, we noted that m ^ m*. Hence r > 5. 
Prom mH - xH' = ma*6-^(x + 6)"^-^ and H{0), H{-b) 0, we find 
that H is squarefree, and similarly H*. Since H \ h, H* \ {h-\- a), and 
gcd(/i, /i + a) = 1, we have gcd(i7, H*) — 1. 

(ii) We denote the coefficient of x^ in / by fi, and similarly for g and h. 
For the composition f — g o h, we find 

fr^-r-2 = 9r-lihl_i — hr-2), 

since r > 2. For the shift composition /'^"'^ = giK'^)) oh^'^\ we have the 
coefficients 

—m*a ^ 0, 

-ma* {-by-'' ^ 0, 

whr-l- 

Thus, fr2-r-2 — f^!_r-2 ^olds if and only if w = 0. 

(iii) Sufficiency is a direct computation. Conversely, assume that / — 
M{a, b, m) = M(ai, bi, mi) = fi. From (i) and the multiplicity mm* of 
and b in /, we find mm* — mim\ and bi — b. If necessary, replacing 

{a,b,m) by {a* ,b,m*), we obtain m^ = m. Dividing / and fi by their 
first two factors in (3.17) gives H"\H*)'^'' = H^iH;)""*. Hence by (i), 
we find Hi = H and thus Oi = a. 

(iv) It is easy to check that /(^) = M( —a*,—b,m). We now show that if 
f^'^^ equals some fi = M{ai, bi,mi), then w is or b. By (iii), we may 
assume that m,mi < r/2. We have 

g' ^m*ax"'-\x-ar*-\ 

h' = ma*b-''+^x'^*-\x - b)"'-\ 

f'^{g'oh)-h' 

= mm*aa*b~'+\x{x - h))'^rn* -l jjm-l ^jj*,^m* -l _ (3 ;^9) 

Now (i) and p \ mm* show that /' has roots of multiplicity mm* — 1 
exactly at and b and otherwise only multiplicities at most m* — 1 < 
mm* — 1. Furthermore, {f^'^^)' = f'{x + w) has roots of multiplicity 



9r-l — 9r-l — 



(w) 
r-1 
(w) 
r-2 



K-1 
hr-2 
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mm* — 1 exactly at —w and b — w. Similarly, /i has roots of multiplicity 
mim* — 1 at and 6i, and all other multiphcities are smaller. It follows 
that mm* = mim\ and m = mi. Furthermore, one of —w and b — w 
equals 0, so that w e {0, 6}. □ 

We now provide an exact count of these collisions over ¥q, matching 
Fact 3.13. When r < 4, there are no polynomials of the form (3.15). 

Corollary 3.20. For r > 3 and F = ¥q, the number of polynomials that are 
of the form (3.15) or shifts thereof is 

q{q-l){q-2)ir-l-2) 



Proof. There are q — 1, q — 2, r — r /p — 2 choices for the parameters b. a, 
m, respectively. By (iii), exactly two distinct parameter values generate the 
same polynomial (3.15). By Proposition 3.18 (ii), the shift orbits are of size 
q and by (iv), they contain two such polynomials each. □ 

The following Algorithm 3.21 finds the parameters for polynomials over 
a field F of characteristic p > that are original shifts of (3.15), just as 
Algorithm 3.11 did for original shifts of (3.2). We assume a routine for 
extracting square and pth roots. Given a field element, it produces a root, 
if one exists, and "failure" otherwise. For a polynomial / of degree at least 
2 and a nonzero polynomial g, we determine the maximal integer k such 
that f'^ divides g using a "binary search"-hke subroutine. First, compute 
/^^ for J = 1,2,... by repeated squaring until the result does not divide g. 
Second, employ binary search to find the exponent with the desired property 
between 2^^^ and 2^ . We take all polynomial gcds to be monic, except that 
gcd(0,0) = 0. 

Theorem 3.22. Algorithm 3.21 works correctly as specified. If F = F,,, it 
takes 0(M(n) logn + n log q) field operations on input a polynomial of degree 
n. 

Proof. For the correctness, it is sufficient — due to the check in step 21 — to 
show that for gq, bo, mo as in Theorem 3.14 and Wq G F, the algorithm does 
not return "failure" on input / = M{ao,bo,moY'^°\ By Proposition 3.18 (i), 
we have r > 5 and by (iii), we may assume mo < r/2. 

By (3.19) and Proposition 3.18 (i), we have after steps 1 and 2 

r ^mo{r-mo)-ljjmo-ljj*r-mo-l if p > 2, 

~ |^(mo(r-mo)-l)/2^Jmo-l)/2^*(r-mo-l)/2 jf p = 2, ^^'^^^ 
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Algorithm 3.21: Identify multiply original polynomials 



Input: polynomial / G Pr2{F) with r a power of p = charF 
Output: parameters a, 6, m, as in Theorem 3.14, and w E F such that 
/ = M(a, 6, m)("'\ if such values exist, and else "failure" 

1 fo^f/W) 

2 if p = 2 then /q /g^^ if defined 

3 /i ^ /o/gcd(/o, /^) if defined 

4 if deg/i < 2 then return "failure" 

5 determine the maximal A; such that | /o by binary search 

6 if p = 2 then /c ■<— 2A; 

7 m min{/c + 1, r — k — 1} 

8 if p = 2 or p \ rri^ + 1 then 

9 I /3^gcd(/r™,/')/gcd(/r"^-s/o 

10 else 

h ^ fl (lc(/0 • gcd(/[— \ /O) if defined 

determine the maximal I such that divides every exponent of x 
in /2 



2 

/s ^ /2/gcd(/2, /^) if defined 

15 end 

16 if deg/a 7^ 2 then return "failure" 

17 let Xi and ^2 be two roots of /a in F if defined 

18 h X2 — Xi and w < Xi 

19 let ai and a2 be the two values of a e F such that 

= —m^a{h — ab^'"") if defined 

20 for i = 1, 2 do 

21 if / = M(ai, 6, m)("') then 

22 I return ai,b,m,w 

23 end 

24 end 

25 return "failure" 
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with if — {x-\- Wq) {x — bo + Wq) , Hi — H o (x + Wo) , — H* o [x + Wq) , and 
H,H* as in (3.16). Let 5,e,e* be 0, if p divides the exponent of </?, Hi, H*, 
respectively, in (3.23), and be 1 otherwise. Then 



gcd(/o, /^) = 
and step 3 computes 
We have 



^Tno{r-mo)-l-S jjmo-l~£ jj*r-mo-l-£* if p > 2 



(^(mo(r-mo)-l)/2-5^|"io-l)/2-£^*(r-mo-l)/2-£* if p = 2, 



h^if'HlHf. (3.24) 



otherwise, 



For odd p this follows from mo(r — mg) — 1 = —itlq'^ — 1 mod p and for p = 2 
from 4 \ rriQ^ + 1. The sum of the exponents of Hi and H* in (3.23) is r — 2 
for odd p and r/2 — 1 for p = 2. In either case, it is coprime to p and this 
shows £ 1, or £* = 1, or both. If £ = 0, then mo = 1 mod p, and thus 
mo^ = 1 mod p. Hence p \ hiq^ + 1 and 5 = 1. Similarly, £* = implies 
5 = 1, and we find that at least two of 6, e, e* take the value 1. 

This implies deg /i > 2 and step 4 does not return "failure". If p > 2, then 
the k determined in step 5 equals either mo — 1, namely, if e = 1, or r — mo — 1, 
otherwise. In characteristic 2, step 6 modifies k e {(mo — 1)/2, (r— mo — 1)/2} 
such that in any characteristic, step 7 recovers m = mo. 

The condition in step 8 follows the case distinction from (3.25). 

• If 5 = 1, we have 

gcd(/[-™,/') = ^r-mo^e(rno-l)^*e*(r-mo-l)^ 
gcd(/[-"*-\ /') = ^^r-mo-lJJ<n^o-l)JJ^e*(r-mo-l)^ 

and therefore /a = (/? in step 9. 

• If (5 = 0, we have 

f/\c{f) = (^"»o(r-mo)-l^rno-l^*r-mo-l^ 
gcd(/[-"*-\ /') = jj7no-ljj*r-m^-l^ 

and /a = (^™-()('^-™o)-i after step 11. After step 13, we have /2 = </?^' for 
some ^' with p f and fz = ^^/^^^^ = ^ after step 14. 
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In any case, we have fs — {x + Wo){x — bo + wq) with distinct roots —Wq 
and 60 ^ '^'0 and step 16 and 17 do not return "failure". In step 18, we have 
either b = bo and w = Wq, ot b = —bo and w = Wq — bo- In the latter 
case, we rewrite / = M{ao,bo,mo)^'^"^ as M{—ao*, — 60 ; ""^o according 
to Proposition 3.18 (iv). We now have determined m, b, and w such that 
/ = M{ao,b,mY'^\ The leading coefficient of /' is —m^ao{b — aob^~^) by 
(3.19). Step 19 yields Oj = Oq for some i e {1,2} and step 21 identifies 
a = flo- 

For the costs over F = ¥q, we have 0(M(n) logn) field operations for 
the gcds, quotients, and products in steps 3, 9, 11, and 14. The binary 
search in step 5 also requires at most 21og2n multiphcations for 0(M(n)) 
field operations each. The p^th root in step 13 and the polynomial square 
root in step 2 take O(nlogg) field operations each. The cost of O(logg) field 
operations for the square roots in steps 17 and 19 is dominated by these. □ 

4 Relation to function fields 

In this section we first review the well-known relation between decompo- 
sitions of polynomials and rational function fields. Then we derive some 
results about the ramification in such fields that come from proper collisions. 
Doing so we follow ideas of Dorey & Whaples (1974) and Zannier (1993). In 
Section 5 these results will be used in the classification of proper collisions 
at degree p^. The following and an earlier form of the classification can also 
be found in Blankertz (2011). 

Let F be a field of characteristic p and = F be an algebraic closure of 
F. Let / G Pn{K) with non-zero derivative /' 7^ and let t be transcendental 
over K[x). Then f — t & K{t)[x] is irreducible and separable over K{t). Let 
a e K{t) be a root oi f — t. Then K{t)[a] = K(a) is a rational extension of 
K(t) of degree n. 

Fact 4.1 (Fried & MacRae (1969)). Let f G Pn{K) with f ^ and let a 
be a root of f — t G K{t)[x]. Let TZ—{h& Pm{K) : m\n and there is a g El 
Pn/m{K), such that f — goh} be the set of right components of f and M. be 
the set of intermediate fields between K{a) and K{t) . Then the map TZ ^ A4, 
h ^ K{h{a)) is bijective. 

The minimal polynomial of a over K{h{a)) is h{x) —h{a). Thus we have 
[K{a): K{h{a))] = dcg{h). 

We make use of the notion of the different exponent | P) of a place 
^ in K{a) lying over a place P in K{t). Mainly we need the following facts 
about the different exponent; for a definition and further facts see Stichtenoth 
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(1993), Section III. 4. A place ^ is unramified over P if and only if \ 

P) = 0. If ^ is tamely ramified over P, then | P) = | P) — 1. Since 
K is algebraically closed, the relative degree of *P | P equals one. Thus, if P 
is tamely ramified, we get 

Y,d{^\P)^n-p, (4.2) 

where p is the number of places in K{a) lying over P. 

The following results tell us more about the ramification in rational func- 
tion fields over K. 

Fact 4.3 (Fried & MacRac (1969), Proposition 3.2.). The place at infinity 
in K{t) is totally ramified in K{a). 

Fact 4.4 (Stichtenoth (1993), Proposition III.5.12). Let E \ K{t) he a finite 
separable extension. Let P he a place in K{t) and ^ he a place in E which 
is totally ramified over P. Let n he a prime element o/^P and ip its minimal 
polynomial over K{t). Then d{^ \ P) = v<;p{ip' (tt)) , where v<;p is the valuation 
at q3. 

Lemma 4.5. Let P^o he the infinite place of K{t) and he the place in 
K{a) over P^. Then rf(<Poo | Poo) = 2n - 2 - deg(/') and 

J2 d(^\P)^deg(f). (4.6) 

finite 

Proof. If p f n we have deg(/') — n — 1 — d{^oo I -Poo)- Thus assume 
p I n. Since ^oo is totally ramified we can apply Fact 4.4. We have that 
is a primitive element of ^oo- Let ip be the minimal polynomial of a~^. 
We have = a^"(/(a) — t) = f{a~^) — ta~"', with / being the reversal of 
/. Since / is original we have deg(/) < n. Then — t~^f{x) is a monic 
polynomial, and since [K{a~^) : K{t)] — n, we get tp — — t~^f{x). Thus 
we have ^p' = -t~'^f'{x) and Fact 4.4 yields d{^oo \ Poo) = Voo{ip'{a.~'^)) = 
Voo{,—t~^f'{a~^)) = Voo{—t~^)+Voo{f'{o:~^)). Since t~^ is a primitive element 
of Poo we have 'yoo(~^~^) = Let dj be the coefficients of /. Then by the 
strong triangle inequality we get foo(/'(ct~^)) > min{foo(i%Q;~*^-'"^^) | jdj ^ 
0} and equality since we have Voo(j%q;~^^~^^) = j + l 7^ i + l = v^{idiar^^~^^) 
for all % 7^ J. The (j — l)-th coefficient of /' is nonzero \i p \ j and dj 7^ 0. 
But since p \ n this is the case if and only if p { (n — j) and the {n — j)-th 
coefficient of / is nonzero. Thus, the last nonzero coefficient in /' is the first 
nonzero coefficient in /'. Hence foo(/'(ct^^)) = n — (deg(/') + 1) — 1 and 
therefore d{^oo \ Poo) = 2n - 2 - deg(/'). 
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By the Hurwitz Genus Formula we have 2g'-2^ [K{a) : K{t)\{2g - 2) + 
I P), where g and g' are the genera of K{t) and K{a), respectively; 
see Stichtenoth (1993), Theorem III. 4. 12. In our case we have g = g' = 
and thus obtain Xl^p \ P) = 2[K{a) : K{t)] - 2 = 2n - 2. By subtracting 
c^(^oo I Poo) we get Eqj finite | P) = 2n - 2 - (2n - 2 - deg(/')) = 
deg(/'). □ 

If we assume that there is no finite wildly ramified place, then the second 
proof of Lemma 2 in Dorey & Whaples (1974) derives (4.6) with elementary 
methods. 

Fact 4.7 (Dorey & Whaples (1974)). Let M and M* be two intermediate 
fields of K{a) \ K{t) such that MM* — K{a) and let q and q* he finite places 

in M and M* , respectively, over a place P in K{t). Let the ramification 
indices e = e(q | P) and e* = e(q* | P) be not divisible by the characteristic 
of K . Then there are gcd(e,e*) places ^ in K{a) which lie over q and over 
q*. Moreover, for such a place we have e(^ | P) = lcm(e,e*). 

This result is proven in Dorey & Whaples (1974) with the assumption 
that the characteristic of K is zero. Without the assumption about the 
characteristic it follows from Abhyankar's Lemma; see Stichtenoth (1993), 
Proposition III.8.9. Indeed, by this lemma we find that for a place ^ in 
K(a), which lies over q and over q*, the ramification index e(*P | P) equals 
lcm(e, e*). Then we proceed as in Dorey & Whaples (1974) by computing 

over q,q* 

and compare the K{t) -dimensions, where L^ denotes the completion of a 
field L with respect to a place P in L. 

For the rest of this section consider the following setup. Let / G Pp2[K) 
with /' 7^ and a 2-collision {{g,h), {g*,h*)}. Let a e K{t) be a root of 
f — t. There are two intermediate fields M and M* of K{a) \ K{t) that 
correspond to {g-ih) and {g*,h*), respectively. Throughout this section let 
q, q*, and ^ denote places in M, M*, and K{a), respectively. We have 
that M = K{h{a)) and g — t i?, the minimal polynomial of h{a) over K{t). 
Thus finite '^('l I ^) ^ deg((7'), by (4.6). Since h — h{a) is the minimal 
polynomial of a over M we have X]<p finite I l) ~ deg(/i'). The analog 
holds for M*. Figure 1 illustrates the relation between these field extensions 
and their respective minimal polynomials. 

First we will see that we can apply Fact 4.7 in this setup. From this we 
derive Lemma 4.12 and Lemma 4.13, which are essential for the classification 
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K{a) 




M M* 




Figure 1: Lattice of subfields 

in Section 5. Finally we translate these results back into the language of 
polynomials. 

Since M ^ M* and [K{a) : M] = p we have MM* = K{a) and, since 
/' 7^ 0, there is no finite place in K{t) that is wildly ramified in K{a). Thus 
we are indeed in the situation where we can apply Fact 4.7. As in Dorey & 
Whaples (1974) we need the notion of extra places. 

Definition 4.8. Define 

i{P,M*\K{t)) = Y,d{cC\P), 

q*|P 

i(P, K{a) I M) = ^ I n M). 
<p|p 

We call a place P extra in M* if i{P, M* \ K{t)) > i{P, K{a) \ M). 

By Fact 2.5 we have deg2(/i) = deg2(5'*). Since the degree of h and g* 
is p we have that the second degree is the degree of the derivative plus one 
and thus deg(/i') = (ieg{g*'). Then we get d{cC ^ \ Poo) = 2p - 2 - deg(5f*') = 
2p — 2 — deg(/i') — d{^oo \ loo), which proves that Poo cannot be extra in 
M*. 

Let P be a finite place in K{t) and let q and q* be places over P in M 
and in M*, respectively. Set e = e(q | P) and e* = e(q* | P). For a place ^ 
over q and q* we have 

e(q3 I P) = e(q3 I q) • e (4.9) 

and e(*p | q) = e(^ | P)/e = lcm(e,e*)/e. Thus Y.^\^* I q) = 
gcd(e, e*) • (lcm(e, e*)/e — 1) = e* — gcd(e, e*). We define 

c(q,q*) = ^d(q3|q) = e*-gcd(e,e*) 
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and have i{P, K{a) \ M) = Xlq,q* c(q, q*). 

Lemma 4.10. Let P he a finite place in Kit). Then ^q|pc(q, q*) > e(q* | 
P) — 1 for all places q* over P. 

Proof. Let P = Y[i=o 1? ™ ^ ■ ■'^'-'^ ~ gcd(ei | < i < we have 
d \ Yli^i = P- If > 1 then we would have d = p and P would be wildly 
ramified in M, which cannot be. Thus d — 1. 

Let q* be a place over P with ramification index e* = e(q* | P). Then as 
above we have c(q;,q*) = e* — gcd(ej,e*). If e* = 1 we have X]iC(qj,q*) = 
^^(e* — gcd(ej,e*)) = = e* — 1. Thus assume e* > 1. Then e* cannot 
divide Cj for all i, since their gcd is one. We distinguish two cases: 

Case 1: e* divides all but one places q over P in M. Then let qo be the 
place such that e* f Cq. The gcd of e* and Bq divides e* and thus divides all 
ramification indies of places over P in M. But their gcd is one. Thus the 
gcd of e* and cq is one and we have J2q\p ^(q, q*) > c(qo, q*) = e* — 1. 

Case 2: There are at least two places, say qi and q2, over P in M 
such that e* f for i = 1,2. Then we have e*/ gcd(ei,e*) > 1 and thus 
gcd(ei,e*) < e*/2. Hence e* — gcd(ej,e*) > e*/2 and thus X]iC(qi,q*) > 
c(qi, q*) + c(q2, q*) > e* > e* — 1, as claimed. □ 

Corollary 4.11. There is no finite place in K{t) which is extra in M* . 

Proof. Let P be a finite place. By Lemma 4.10 we have c(q, q*) > e(q* | 
P) - 1 for all q*. But then i{P,K{a) \ M) = Ec,<,* c(q, q*) > Ec*(e(q* | 
P) - 1) = i(P, M* I K{t)) which shows that P is not extra in M*. □ 

By the Hurwitz Genus Formula 
^ i(P, M* I K{t)) = J2 d{c\* I P) = 2p - 2 = ^ i(P, | M). 

P q*|P P 

Since there are no extra places in M* we get i{P, M* \ K{t)) — i{P, K{a) \ M) 
for all places P. 

Lemma 4.12. Let P he a finite place in K{t) . Then the following statements 
hold: 

(i) For each ramified place q* over P in M* the ramification index e{q* | P) 
divides e(q | P) for all hut exactly one place q over P in M. 

(a) For each ramified place q over P in M the ramification index e(q | P) 
divides e(q* | P) for all hut exactly one place q* over P in M*. 

(Hi) P is ramified in M if and only if it is ramified in M*. 
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Proof. To prove (i), we claim that the second case in the proof of Lemma 4.10 
does not occur. For q* faUing into case 2 we had seen that X]c,|pc(q, q*) > 
e(q* I P). Set e(q*) = 1 if q* falls into this case and ^(q*) = else. Then 
we have in any case X^q|pc(q,q*) > e(q* | P) — 1 + ^(q*). Hence we get 
i{P,K{a) I M) = E,,,*c(q,q*) > E,* e(q* I P) " 1 + ^(q*) = ^P.M* \ 
K{t)) + Ec,.^(q*)- But since i{P,M* \ K{t)) = i{P,K{a) \ M) we have 
Eq* £(1*) — 0- This proves the claim. 

The second statement can be proven analogously to the first one, by 
interchanging the role of M and M* in the previous results. 

Finally, if P is ramified in M* then by (i) there is a place q* with 1 < 
e(q* I P) I e(q | P) for some place q in M. Thus P is ramified in M. The 
other direction follows in the same way from (ii). □ 

Lemma 4.13. There is at most one finite place in K{t) that is ramified in 
M. Moreover if there is a place that is ramified in M then it has at most one 
unramified factor. 

Proof. Let P be a finite place in K{t), which is ramified in M. Assume there 
is a place q such that e(q | P) = 1. Then E<;p|q "^(^^ I q) = Eq* c(q, q*) > 
Eq*(e(q* I P) — 1) = i(P, M* | K{t)). If there are two unramified places 
qi and qs over P then i{P,K{a) \ M) > E<^\^,d{^ I qi) + E>p|q, I 
qa) > 2i{P,M* \ K{t)). But since i{P,K{a) \ M) = i{P,M* \ K{t)) this 
can only be if i{P, M* \ K{t)) = 0. Hence P is unramified in M* and by 
Lemma 4.12 unramified in M, in contradiction to our assumption. Thus 
there can be at most one unramified place over P. If p denotes the number 
of places in M over P we have 1 + 2(p — 1) < '^e{q \ P) = p and thus 
p < {p+ l)/2. Therefore i(P, M \ K{t)) = p- p > {p-l)/2. But since 
Ep finite ^(-^' I -^(^)) — deg(5'') < p — 1, there can be at most one such a 
place in K{t). □ 

Corollary 4.14. There is at most one finite place in K{t) that is ramified 
in K[a). 

Proof. Assume ^ is ramified over P. Then e(^ | P) = e(^ | q)e(q | P) > 1. 
Thus at least one of e(*P | q) and e(q | P) is greater than 1. Suppose 
e(q3 I q) > 1. Thus ^ i{P,K{a) \ M) = i{P,M* \ K{t)). Hence P is 
ramified in M* and thus ramified in M. But by the previous lemma there is 
only one such place. □ 

Now we are equipped with the tools from ramification theory which we 
need for the classification in the next section. We translate these results into 
the language of polynomials. 
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Let F be a field of characteristic p and / e Pn{F). As before, let K 
denote an algebraic closure of F and K{a) \ K(t) be the field extension 
by a root a oi f — t. Then each finite place P in K{t) corresponds to a 
monic and irreducible polynomial in K[t]; see Stichtenoth (1993), Section 
1.2. This polynomial is linear, since K is algebraically closed, say of the form 
t — c with c & K. In K{a) we have t — c = f{a) — c = YldTi'^)^ where 
Y[9i^ is a factorization of / — c into irreducible factors in K[x]. The Qi are 
linear and correspond to places in K(a). Then divides P. Since 
^ Cj = deg/ = [-^'(q;): -ft'(t)], we obtain a factorization P = H^?- Thus 
the multiplicities in / — c correspond to the ramification indices of P, that 
is e, - e{% I P). 

For a root a G -ft' of a polynomial /, we denote by multa(/) the multiplicity 
of a in /. We reformulate the results above as follows. 

Proposition 4.15. Let f e Pp^iF) with /' 7^ and a 2-collision {{g, h), {g*, h*)}. 
Let c & K. Then the following hold. 

(i) g ~ c and g* — c have the same number of roots in K. 

(a) The gcd of all multiplicities in g — c is 1, that is 

gcd (multa(gi — c): a & K with g{a) — c) — 1. 

(Hi) For all c & K and all roots a of f — c the multiplicity multa(/ — c) — 
mult^(a)(5r - c) multa(/i - h{a)). 

(iv) For all roots a and a* E K of g — c and g* — c, respectively, there are 
exactly gcd (multa(5' — c), multa* {g* — c)) roots b & K of f — c such that 
h{b) — a and h*{b) — a*. Furthermore for each such root b we have 

iribif - c) = 1cm (multa(5( - c), mult^* {g* - c)) . 

(v) If f — c is squareful, then g — c is squareful and has at most one simple 
root. 

(vi) If f — c is squareful, then for each root a of g — c, the multiplicity 
multa (g' — c) divides mb{g* — c) for all roots b of g* — c but exactly one. 

(vii) Either there is exactly one cq & F such that f — cq is squareful, or else 
f — Co is squarefree for all cq & K. 
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Proof. For (i) , let p and p* be the number of roots m. K ol g — c and g* — c, 
respectively. Then by the correspondence of ramification indices and multi- 
plicities, (4.2), and Lemma 4.5, we have deg{g') = p — p and deg{g*') — p — p* ■ 
But (\eg{g') = deg{g*') from Fact 2.5 implies that p = p*. 

From deg{g — c) = p and {g — c) 7^ we have (ii). The claims (iii), 
(iv), (v), and (vi) follow from (4.9), Fact 4.7, Lemma 4.13, and Lemma 4.12, 
respectively. 

By Corollary 4.14 there is at most one cq in K such that f — cq has 
multiple roots. Assume there is such a cq. Then for each automorphism a of 
K that fixes F, f — a{co) = a{f — cq) has multiple roots and thus cr(co) = cq. 
This shows that Cq G F. □ 



5 Classification 

In this section we provide a classification of proper collisions at degree 
over F. In the next section we use this classification to count decomposable 
polynomials over Fg, but the classification holds for arbitrary fields F of 
characteristic p > 0. Theorem 5.1 states the classification, and its proof 
takes the rest of this section. 

Theorem 5.1. Let f e Pp2{F) with a 2-collision {{g,h),{g*,h*)}. Then 
exactly one of the following holds. 

(F) The polynomial f is a Frohenius collision as in Example 2.2. 

(S) There are w E F , u, s & F^ , e e {0, 1}, and a positive integer m dividing 
p — 1, such that 

f(^^ = S{u,s,e,m), 

as in (3.2). Furthermore, there is some t E F, such that {g,h)^'^^ is of 
the form as in Fact 3.1. 

(M) There are w E F, b E F^ , a E F \ {0,lf}, and an integer m with 
1 < m < p — 1, such that 

f^^^^M{a,h,m), 
as in (3.15) and {g,h)^^^ is of the form as in Theorem 3.I4. 

Let / e Pp2(F) with a 2-collision {{g , h) , [g* , h*)} and kk be the algebraic 
closure of F. By Lemma 2.3 (i), / is a Frobenius collision if and only if /' = 0. 
Thus we assume for the rest of the section that /' 7^ and prove that / falls 
either into case (S) or into case (M) of Theorem 5.1. 



24 



We first consider the case where / — c is squarefree for all c & K. Then 
g — c is also squarefree for all c G -ft' in Proposition 4.15. Let 6 G -ft' be 
a root of g' . Then with g — g{b) = {x — b)G we have g' = {x — b)G' + G 
and thus G{b) = 0. Hence (,x — b) divides g — g{b) twice, contradicting the 
squarefreeness ol g — g{b). Thus g' is constant. Since g is monic original 
of degree p, we have g — x'^ -\- ax for some a & F. We claim that for any 
6 G -ft', — 6 is squarefree; the same argument then shows that also h is 
additive. So let a G -ft' be a root of h — b. Then a is a root of / — g{b) with 
multiplicity 1 = multa(/ — g{b)) = mult5(5' — g{b)) ■ multa(/i — b) by (iii) in 
Proposition 4.15. Thus multa(/i — b) = 1, as claimed. Since g and h are 
additive, also / is additive and hence falls into case (S) . 

Now consider the case where there is some c & K such that / — c is 
squareful. There is exactly one such c G -F by Proposition 4.15 (vii). Thus 
we assume for the rest of this proof that / — c is squareful. Then we define 
the following two cases. If / — c has a simple root we call / simply original, 
otherwise we call / multiply original. 

The next two lemmas deal with simply original and multiply original 
polynomials separately. In both cases we use the following notation. 

Let (g.h) and {g*,h*) be two decompositions of /. Setting d = dcg2(5'), 
we have d = deg2(5'*) = deg2(/i) = deg2(/i*) by Fact 2.5. Since / is not 
additive, we have A; > 1. Let £ — p — d and p be the number of roots of g — c 
in K. Then p is also the number of roots of g* — c in K by Proposition 4.15 (i). 
As in its proof, we have deg(5'') = d — 1 = p — p. Thus p = p — d+l = i+l. 

Let ao, ■ ■ ■ ,af and Cq, . . . , be the roots in -ft' of (? — c and g* — c, re- 
spectively, and let = multa.(5f — c) and e* = multa*(5'* — c) be their 
multiplicities. 

Lemma 5.2. Any simply original polynomial falls into case (S) of Theo- 
rem 5.1. 

Proof. Let / be simply original and {g,h), {g*,h*), d, i, ai, a*, Cj, e* be as 
above. By assumption f — c has a simple root, and therefore also g* — c. We 
may assume that the simple root is and Cq = 1. By Proposition 4.15 (v) 
Oq is the only simple root. Let Cq be the multiplicity in g — c that is not 
divided by If Cq 7^ 1, then it does not divide Cq = 1 and thus it divides 
e* > 1. But this would imply that divides all other multiplicities in g — c, 
which is ruled out by Proposition 4.15 (vi). Thus we have cq = 1. Then e* 
divides all multiplicities of g — c that are greater than 1, and the other way 
round. Thus all these multiplicities are equal, say we have m — Si — e* for 
all 1 < i < Thus g — c = {x — ao)^™, with ao G F and a squarefree monic 
polynomial g over F of degree £. Furthermore, £m — p — 1. 
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For each root a of / — c, h{a) and h*{a) are roots of g — c and g* — c, 
respectively. By Proposition 4.15 (iv), multa(/ — c) = lcm(mult/i(a)(5' — 
c), m.u[th*{a)ig* ~ c)) is either m or 1. More precisely mu\ta{h — h{a)) = m if 
and only if mu[th(a) (fi* ^ c) = 1 and multh*{a) {g* — c) = m. Thus only h — ao is 
squareful and has the same multiplicities as g* — c. Thus h — aQ = {x — w)h'^, 
with w & F and a squarefree monic polynomial h over F of degree i. We 
have f{w) — g{h{w)) — g{ao) — c. Now we shift as follows: 

= [x—c)ofo(^x+w) = {x—c)ogo(^x+ao)o(^x—aQ)oho[x+w) = xg'^'^oxh^, 

with g = g o (x + Oq) and h — ho [x + w). For simplicity we rename f^'^\ 
g{h{w)) ^ and Z?/*^') as /, and /i, respectively. 

Next we determine the form of g and h. The derivative oi g = xg^ is 
gi _ gi^-^(^g -|- mxg'). Thus d — 1 = (\cg{g') = (m — 1)£ + deg(^ + mxg') — 
d — deg{g + mxg') and deg(5' + mxg') = 0. If gi are the coefficients of g, 
then ^ + mxg' — + mi)giX^ and we have (1 + mi)gi — for all i with 
1 < i < £. Since 1 + mi 7^ in F for 1 < i < i, this is the case only if 
gi = for these values of i. Thus we get g — {x^ — go) and ^0 7^ 0. The same 
argument applies to h. 

Thus we can write g = x{x^ — a)™ and h — x{x^ — 6)"* for suitable a and 
6 in F^. Then 

/ = x{x^ - b)'^{{x{x^ - b)"")^ - a)™ = x{x^'^P+^'> -Hf + a)x^ + ab)"^. 

If 6^ + a = 0, we set e = 0, s = 1, t = 6, and u = ab. Else we set e — 1, 
s = ab/{V + a), t = 6/s, and u = ab/s^^^. In both cases, u, s, and t are 
in Fj the equations — eut + u = 0, b = st, and a = us^t~^ hold, and 
f = g o h = S{u, s,6,m), and the polynomial we started with equals f^^'"\ 
as claimed. □ 

For the multiply original case, we need the following lemma. 

Lemma 5.3. Let G = (V, E) be a directed bipartite graph, with bipartition 
V = AU A*. Assume that jj^A = jj^A* = i+l> 2 and the outdegree of each 
vertex equals i. Then some vertex in A is connected to all other vertices in 
A by a path of length 2. 

Proof Let A = {0, ... , i}, A* = {0*, t}, and M and M* be the adja- 
cency matrices having for each edge from i to j* and from i* to j, respectively, 
the entry 1 at position {i,j) and entries everywhere else. The assumptions 
imply the following. 

(i) M has in each row at most one entry 0. 
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(ii) M* contains at most £ + 1 entries 0. 

If every column of M* contains at least two I's, then M ■ M* has only 
positive entries, because of (i). Therefore, there is always a path of length 2 
from any vertex in A to any other one. Alternatively, M* has a column that 
contains at most one 1. Because of (ii), every other column of M* contains 
at most one 0. Because of £ + 1 > 2 and (i), all positions with j' ^ j 

in M ■ M* are positive. Starting from vertex j we can reach all other j' by a 
path of length 2. □ 

Thanks go to Rolf Klein for this proof, much simpler than our original 
one. 

Lemma 5.4. Any multiply original polynomial falls into case (M) of Theo- 
rem 5.1. 

Proof. Let / be multiply original and {g,h), {g*,h*), d, i, ai, a*, Cj, e* be 
as above. Since / is multiply original, we have Cj, e* > 1. Indeed g — c is 
squareful by Proposition 4.15 (v) and if g — c would have a simple root then 
g* — c would have one, as well, by the same argument as in the beginning 
of the proof of Lemma 5.2. But then / — c would have a simple root by 
Proposition 4.15 (iv), in contradiction to the assumption that / is multiply 
original. 

We claim that i = 1. To this end, we translate Proposition 4.15 (vi) 
into the language of graphs. Let V = A U A* he the set of vertices, with 
disjoint A and A* being two distinct set, say A — {i: < i < £} and 
B = {i* : < i < i}. Let the set E of edges consist of all with Cj | e* 

plus all with e* | ej. Then this yields a directed bipartite graph with 

outdegree i for each v E V hj Proposition 4.15 (vi). 

If £ > 1, then by Lemma 5.3 some vertex i in A is connected to all other 
vertices in A. Then ej divides all other multiphcities in A, which contradicts 
Proposition 4.15 (ii). Hence £ — 1 and therefore g — c— (x — ao)"^(x — Oi)*'""^ 
and g* — c = {x — ag)'"(,T — a*)^"™, with 1 < m < p — 1 and ao, 04, ap, and al 
in K. For each automorphism a of K fixing F, we have g — c = a(g — c) = 
{x — a{ao))™'{x — a{ai)y~"^. By unique factorization and m ^ p — mwe have 
ao = cr{ao) and ai — a{ai). Thus ao, ai e F. 

By Proposition 4.15 (iv) there is one root 6 e F of h—ao with mb{h—ao) — 
\cm{m,p — m)/m = p — m and there are gcd(m,m) = m roots b' of h — 
with multf,'(/i — ao) = lcm(m, m)/m = 1. Thus h — ao = {x — bY^"^H for 
some monic squarefree polynomial H of degree m. Similarly we get h — ai — 
{x — h)'^H* with squarefree H*. We set m* — p — m, shift / by 6, rename 
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/(^^ as / and b as 6, and then may assume the form 

g = x'^ix-a)"'*, 

h = x"'*H, h-a = {x-h)'^H*. 

Moreover under this shift there are a*,b*,b* G F and squarefree polyno- 
mials H, H*, such that ((/*, h*) is either of the form 



h* ^ {x-b*rH*, h* - a* = {x-b*r*H, 

or of the form 

h* ^{x-b*)""'!!, h* -a* ^{x-b*rH*. 



(5.5) 



(5.6) 



We will show that we can shift (5.6) into (5.5), and then compute H and 
H*. First assume (5.6). Then 

By unique factorization and comparison of multiplicities, we find H = H and 
H* = H*, and h ^ h* implies that 6* = and h* = b. Then we shift / by b, 
redefine the parameter b = —b, and interchange the roles of m and m*, and 
H and H*, respectively. This leads to the form 

g = x"'{x-a)"'\ 

h = x"'*H, h-a=(x-brH*, , ^ 

5.7 

g* = (a; _ a'-yn, 

h*^x'^H\ h* -a* = {x-br*H. 

Mutatis mutandis we bring (5.5) into this form. From (5.7), we can 
determine H and H* as follows. We have 

x'^''H -a^{x- b^H*, 
x"'H*-a* = {x-b)"'*H, 

xPH - ax"^ = x'^ix - b)"'H* = (x - b)"'{{x - b)"^' H + a*) 
^x^H + FH + a^x-b)"", 
H = ab-^x"^ + a*b-P{x - 6)™ 

= (a + a*)b-Px'^ + a*rf ((x - b)"^ - x"^). 

Since H is monic, we have a-\- a* — l^. Similarly we find 

H* ^x"^* +ab-P{{x-b)'^* -x"^*). □ 
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Lemmas 5.2 and 5.4 finish the proof of Theorem 5.1. In the proof of 
Lemma 5.4 we have transformed (5.6) into (5.5). One could try to do it the 
other way round to obtain a more symmetric form, but a shift from (5.5) to 
(5.6) may only exist over an extension of F. 

Corollary 5.8. A 2-collision in case (M) is maximal. 

Proof. Let {{g, h), {g*, h*)} be a 2-collision in case (M) with ^ g o h ^ 
M(a,b,m) for some a, b, and m as in Theorem 3.14 and dcg(/) = p^. For 
simplicity we write / = Assume that {gi, hi) collides with {g, h). Then 

by the uniqueness among the three cases in Theorem 5.1, there are w & F, 
6i e F^, ai e F \ {0, b^}, and 1 < mi < p - 1 such that 

and with the appropriate Hi as in (3.16), 

By Proposition 3.18 (iv), we have w e {0, b}. Considering the case w — b we 
find f^''^ = M{—a, —b, m) and thus (ai, 6i, mi) e {(—a, — m)., (—a*, —6, m*}, 
by Proposition 3.18 (iii). Since {g,h) ^ {gi,hi) we have mi ^ m and 
thus ai = -a*, bi = -b, and mi = m*. But then hi^''^ = (/i*)^^) and 
g^{hi{b)) _ (^g*'j{h* (b)) g^j^^ ^Yius hi = h* and gi = g*. We proceed similarly in 
the case w — 0. □ 



Algorithm 5.9: Collision determination 



Input: polynomial / e Pp2{F) with all fi^F 

Output: (F), (S), (M) as in Theorem 5.1, if / is a 2-collision, or "no 
collision" 

1 if / e F[xP] \ {xP^} then return (F) 

2 if Algorithm 3.11 does not return "failure" on input f then 

3 
4 



let u,s,e,m,w,k be the output of Algorithm 3.11 on input / 
if A; > 2 then return (S) 

5 end 

6 if Algorithm 3.21 does not return "failure" on input f then 

7 I return (M) 

8 end 

9 return "no collisiorr 
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Theorem 5.10. Algorithm 5.9 works correctly as specified. If F — ¥q and 
n — p^ — deg /; it takes 0(M(n) logn + n log q) field operations. 

The correctness follows from Theorem 5.1. Its cost is dominated by that 
of Algorithm 3.21. If / is found to have a collision, then that can be returned 
as well, using Example 2.2 for (F). 



6 Counting at degree 

The classification of the collisions of compositions at degree p^ yields the 
number of decomposable polynomials over a finite field F^. 

The maximality in the definition (2.1) of C„ ^ provides the partition 

Dn{^,)^[j^^Cn,k{^,). (6.1) 

Theorem 6.2. Let p he a prime and q a power of p. For k > 1, we write 
Cfe for #Cp2 fc(Fq) as in (2.1), 5 for Kronecker's delta function, and r for the 
number of positive divisors of p — 1. Then the following hold. 

, . g(g-l)(g-2)(p-3) 
-(l-dp=2) , (6.3) 

, _ «-i _ . ^ (Tg-g + l)(g-l)^(p-2) 

'"^ 2(p-l) 

. , g(g-l)(g-2)(p-3) 
+ (l-()p=2) ^ , (6.4) 

_ (rg-g + l)(g-l)(g-p) 
cp+i - ^(^^31) ' ^^-5) 

Cfe = 0, i/A;^{l,2,p+l}. (6.6) 



Proof. We consider = Cp2 fc(Fq). For k > 2, Theorem 5.1 provides the 
partition 



where the sets on the right-hand side correspond to the cases (F), (S), and 
(M), respectively. Lemma 2.3(ii), Fact 3.13, and Corollary 3.20 imply that 



qP-^ - 1 if A; = 2, 
otherwise. 
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iS) 



f (rg-g + l)(g-l)^(p-2) 
2(p - 1) 
(rg-g + l)(g-l)(g-p) 



if A; 



p(p2 - 1) 







(M) 
k 



if = p + 
otherwise, 

3 otherwise. 



Summing up yields the exact formulas (6.4), (6.5), and (6.6). Finally, 
there is a total of q^^'"^ pairs {g, h) e Ppi^q) x Pp{¥g) and therefore (6.3) 
follows from 

k>l 

The partition (6.1) now yields the main result of this paper, namely the 
following exact formula for the number of decomposable polynomials of de- 
gree over ¥q. 

Theorem 6.7. LetFg be a finite field of characteristic p, 5 Kronecker's delta 
function and r the numbers of positive divisors of p — 1. Then 



- (1 - S,=2) 

Proof. The claim follows from 



(gr - g + l){q - l){qp - p - 2) 
2(p + l) 
g(g-l)(g-2)(p-3) 



A;>1 



For p — 2, this yields 

#D4(F,) = q' 



□ 



2 2 + g-2 



consistent with the result in von zur Gathen (2010a). Furthermore, we have 
#D9(F,) = g^ (^1 - ^q-\l + q-' - q-' - g"^)^ for p = 3, 



#D,2(¥g) = g^^'-^ (1 - q-P+^ + ©(g-^^'+^+i/d)) 



for p = g^/*^ > 3. 



With r = 0{p^) for all £ > 0, see Apostol (1976), we have the following 
asymptotics. 



31 



Corollairy 6.8. Let d > 1, q — p''', and e > 0. Then 

C2^q^-\l + 0{q~P+'+'/'')), 
Cp+i = O (g3-3/<i+s/<^) . 

Von zur Gathen (2009) considers the asymptotics of u^^q = 
where £ is the smallest prime divisor of n. It turns out that for any composite 

n, limsupq_^oo z/^.g = 1, and that liminf^^oo J^n,q = 1 for many n, but when 
n = i"^ determining the limes inferior was left as an open question. From 
Theorem 6.7, we obtain 

hm i/n g = 1 

q-^oo 

for i > 2. For n — A, the sequence has no limit, but lim sup 1/4^5 = 1 and 

q—>-oo 

liminf — 2/3. 

g— >-oo ' 

7 Conclusion 

In the wild case, we considered equal-degree collisions in the special case 
where the degree is for a power r of the characteristic p. For r = p, we 
determined their structure and number. We gave a classification of all proper 
collisions at degree p^ and an algorithm which determines whether a given 
polynomial has a collision, and if so, into which class it falls. We computed 
the exact number of decomposable polynomials of degree p^ over finite fields. 

Von zur Gathen (2009) shows asymptotics on z/„ ^ for g — )> 00 which are 
tight except when n = i'^ and when £^ is a proper divisor of n with n not 
divisible by for its smallest prime divisor £. The first case finds a positive 
answer in this paper. The latter case remains open. 

Ritt's Second Theorem covers distinct-degree collisions, even in the wild 
case, see Zannier (1993), and they can be counted exactly in most situa- 
tions, see von zur Gathen (2010b). It would be interesting to see a similar 
classification for general equal-degree collisions. 

8 Acknowledgments 

Many thanks go to Mike Zieve for useful comments and pointers to the liter- 
ature and to Rolf Klein for simplifying the proof of Lemma 5.3. 

This work was funded in part by the B-IT Foundation and the Land 
Nordrhein- Westf alen . 



32 



References 



T. M. Apostol (1976). Introduction to Analytic Number Theory. Springer- 
Verlag, New York. 

Roberto M. Avanzi & Umberto M. Zannier (2003). The equation 
/(X) = f{Y) in rational functions X = X(t), Y = Y{t). Compositio 
Math. 139(3), 263-295. 

David R. Barton & Richard Zippel (1985). Polynomial Decomposition 
Algorithms. Journal of Symbolic Computation 1, 159-168. 

Raoul Blankertz (2011). Decomposition of Polynomials. Diplomarbeit, 
Universitat Bonn, Bonn. URL http://arxiv.org/abs/1107.0687. 

John J. Cade (1985). A New Public-key Cipher Which Allows Signatures. 

In Proceedings of the 2nd SIAM Conference on Applied Linear Algebra, 
Raleigh NC All. SIAM. 

Stephen D. Cohen (1990). Exceptional polynomials and the reducibility 
of substitution polynomials. Enseign. Math. (2) 36(1-2), 53-65. ISSN 
0013-8584. 

Robert S. Coulter, George Havas & Marie Henderson 
(2004). On decomposition of sub-linearised polynomials. Jour- 
nal of the Australian Mathematical Society 76(3), 317-328. URL 
http : / /www . math . udel . edu/~coulter/papers/ indecompsublin . pdf . 

F. Dorey & G. Whaples (1974). Prime and Compos- 

ite Polynomials. Journal of Algebra 28, 88-101. URL 

http : //dx . doi . org/10 . 1016/0021-8693 (74) 90023-4. 

Michael D. Fried & R. E. MacRae (1969). On the invariance of chains 
of Fields. Illinois Journal of Mathematics 13, 165-171. 

Joachim von ZUR Gathen (1990a). Functional Decomposition of Polyno- 
mials: the Tame Case. Journal of Symbolic Computation 9, 281-299. URL 
http : //dx . doi . org/10 . 1016/S0747-7171 (08) 80014-4. 

Joachim von ZUR Gathen (1990b). Functional Decomposition of Poly- 
nomials: the Wild Case. Journal of Symbolic Computation 10, 437-452. 
URL http : //dx . doi . org/10 . 1016/S0747-7171 (08) 80054-5. 



33 



Joachim von ZUR Gathen (2008). Counting decomposable univariate poly- 
nomials. Preprint, 93 pages. URL http://arxiv.org/abs/0901.0054. 
Extended abstract see von zur Gathen (2009). 

Joachim von zur Gathen (2009). The Number of Decomposable Univari- 
ate Polynomials — Extended Abstract. In Proceedings of the 2009 Inter- 
national Symposium on Symbolic and Algebraic Computation ISSAC2009, 
Seoul, Korea, JOHN P. MAY, editor, 359-366. ISBN 978-1-60558-609-0. 
Preprint (2008) at http: //arxiv. org/abs/0901 . 0054. 

Joachim von zur Gathen (2010a). Lower bounds for decomposable uni- 
variate wild polynomials. To appear in Journal of Symbolic Computation 
34 pages. 

Joachim von zur Gathen (2010b). Shift-invariant polynomials and 
Ritt's Second Theorem. Contemporary Mathematics 518, 161-184. URL 
http : //vivvi . ams . org/bookstore?f n=20&argl=whatsnew&ikey=C0NM-518 
See the Local PDF for a corrected version. 

Joachim von zur Gathen & Jurgen Gerhard (2003). Mod- 
em Computer Algebra. Cambridge University Press, Cam- 
bridge, UK, Second edition. ISBN 0-521-82646-2, 800 pages. URL 
http://cosec.bit.uni-bonn.de/science/inca/. Other available 
editions: first edition 1999, Chinese edition, Japanese translation. 

Joachim von zur Gathen, Mark Giesbrecht & Konstantin 
ZlEGLER (2010). Composition collisions and projective polynomials. State- 
ment of results. In Proceedings of the 2010 International Symposium 
on Symbolic and Algebraic Computation ISSAC2010, Munich, Germany, 
Stephen Watt, editor, 123-130. ACM Press. Preprint available at 
http : //arxiv . org/abs/1005 . 1087. 

Mark William Giesbrecht (1988). Complexity Results on the Func- 
tional Decomposition of Polynomials. Technical Report 209/88, University 
of Toronto, Department of Computer Science, Toronto, Ontario, Canada. 
Available as http://arxiv.org/abs/1004.5433. 

Marie Henderson & Rex Matthews (1999). Composition behaviour of 
sub-linearised polynomials over a finite field. In Finite fields: theory, ap- 
plications, and algorithms (Waterloo, ON, 1997), volume 225 of Contemp. 
Math., 67-75. Amer. Math. Soc, Providence, RI. 

Dexter Kozen & Susan Landau (1989). Polynomial Decomposition Al- 
gorithms. Journal of Symbolic Computation 7, 445-456. An earlier version 



34 



was published as Technical Report 209/88, University of Toronto, Depart- 
ment of Computer Science, Toronto, Ontario, Canada, 1988. 

S. Landau & G. L. Miller (1985). Solvability by Radicals is in Polynomial 
Time. Journal of Computer and System Sciences 30, 179-208. 

Andrzej Schinzel (1982). Selected Topics on Polynomials. Ann Arbor; 
The University of Michigan Press. ISBN 0-472-08026-1. 

Andrzej Schinzel (2000). Polynomials with special regard to reducibility. 
Cambridge University Press, Cambridge, UK. ISBN 0521662257. 

Henning Stichtenoth (1993). Algebraic Function Fields and Codes. 
Springer- Verlag, 260 pages. 

U. Zannier (1993). Ritt's Second Theorem in arbitrary characteristic. 
Journal fiir die reine und angewandte Mathematik 445, 175-203. URL 
http : / /www . digizeitschrif ten . de/index . php?id=loader&tx_ jkDigiTools_pil [IDDOC] =! 

Michael Zieve (2011). Private communication. 

Richard Zippel (1991). Rational Function Decomposition. In Proceedings 
of the 1991 International Symposium on Symbolic and Algebraic Computa- 
tion ISSAC '91, Bonn, Germany, Stephen M. Watt, editor, 1-6. ACM 
Press, Bonn, Germany. ISBN 0-89791-437-6. 



35 



